Techniques
Sample rules
Splunk Identified SSL TLS Certificates
- source: splunk
- techniques:
- T1040
Description
The following analytic uses the ssl, tls and certificate tags to identify hosts in the environment that are still using the default Splunk certificates. The recommended remediation is to deploy valid TLS certificates; documentation is in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL.
Detection logic
tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk*
| stats values(src) AS "Host(s) with Default Cert" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype
| `splunk_identified_ssl_tls_certificates_filter`
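The search above can be hard to reason about without data to run it on. The following Python script is an added example, not part of the rule or of Splunk's code: it replays the same logic offline over a handful of constructed events whose field names follow the CIM Certificates data model fields the search uses (`ssl_issuer_common_name`, `ssl_issuer`, `ssl_subject*`, `src`, `host`, `sourcetype`). The hostnames, addresses and certificate subjects are made up, and the `allowlisted_hosts` argument is an assumed stand-in for the `splunk_identified_ssl_tls_certificates_filter` macro, which the rule leaves for local tuning.

```python
"""Offline emulation of the 'Splunk Identified SSL TLS Certificates' search.

Added example: reproduces the filter (issuer CN wildcard match) and the
`stats values(src) ... count by <fields>` aggregation over constructed events.
"""
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample events (not real data). Field names follow the CIM
# Certificates data model as used by the search; values are invented.
SAMPLE_EVENTS = [
    # Two indexer events with the stock Splunk default certificate.
    {"host": "idx01", "sourcetype": "splunkd", "src": "10.0.0.11",
     "ssl_issuer": "CN=SplunkCommonCA,O=Splunk Inc.",
     "ssl_issuer_common_name": "SplunkCommonCA",
     "ssl_subject": "CN=SplunkServerDefaultCert,O=SplunkUser",
     "ssl_subject_common_name": "SplunkServerDefaultCert",
     "ssl_subject_organization": "SplunkUser"},
    {"host": "idx01", "sourcetype": "splunkd", "src": "10.0.0.111",
     "ssl_issuer": "CN=SplunkCommonCA,O=Splunk Inc.",
     "ssl_issuer_common_name": "SplunkCommonCA",
     "ssl_subject": "CN=SplunkServerDefaultCert,O=SplunkUser",
     "ssl_subject_common_name": "SplunkServerDefaultCert",
     "ssl_subject_organization": "SplunkUser"},
    {"host": "idx02", "sourcetype": "splunkd", "src": "10.0.0.12",
     "ssl_issuer": "CN=SplunkCommonCA,O=Splunk Inc.",
     "ssl_issuer_common_name": "SplunkCommonCA",
     "ssl_subject": "CN=SplunkServerDefaultCert,O=SplunkUser",
     "ssl_subject_common_name": "SplunkServerDefaultCert",
     "ssl_subject_organization": "SplunkUser"},
    # A host with a certificate from an internal CA: must NOT be reported.
    {"host": "web01", "sourcetype": "splunkd", "src": "10.0.0.20",
     "ssl_issuer": "CN=Corp Issuing CA,O=Example Corp",
     "ssl_issuer_common_name": "Corp Issuing CA",
     "ssl_subject": "CN=web01.example.test,O=Example Corp",
     "ssl_subject_common_name": "web01.example.test",
     "ssl_subject_organization": "Example Corp"},
    # Lower-case issuer CN: SPL wildcard matching is case-insensitive, so
    # this still matches *splunk*.
    {"host": "sh01", "sourcetype": "splunkd", "src": "10.0.0.30",
     "ssl_issuer": "CN=splunk-ca-lab",
     "ssl_issuer_common_name": "splunk-ca-lab",
     "ssl_subject": "CN=sh01",
     "ssl_subject_common_name": "sh01",
     "ssl_subject_organization": None},
]

# The `by` clause of the stats command, in the same order.
GROUP_FIELDS = ("ssl_issuer", "ssl_subject_common_name",
                "ssl_subject_organization", "ssl_subject", "host", "sourcetype")


def issuer_matches(event, pattern="*splunk*"):
    """Emulate `ssl_issuer_common_name=*splunk*` (case-insensitive wildcard)."""
    value = event.get("ssl_issuer_common_name") or ""
    return fnmatch(value.lower(), pattern.lower())


def default_cert_report(events, allowlisted_hosts=frozenset()):
    """Return rows equivalent to the search's stats output.

    `allowlisted_hosts` is an assumed stand-in for the rule's filter macro:
    hosts listed here are dropped from the result, as a tuned macro would do.
    """
    groups = defaultdict(lambda: {"srcs": set(), "count": 0})
    for ev in events:
        if not issuer_matches(ev):
            continue
        if ev.get("host") in allowlisted_hosts:
            continue
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        groups[key]["srcs"].add(ev.get("src"))   # values(src)
        groups[key]["count"] += 1                # count
    rows = []
    for key, agg in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["Host(s) with Default Cert"] = sorted(agg["srcs"])
        row["count"] = agg["count"]
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in default_cert_report(SAMPLE_EVENTS):
        print(row["host"], row["ssl_issuer_common_name"] if "ssl_issuer_common_name" in row else row["ssl_issuer"],
              row["Host(s) with Default Cert"], row["count"])
```

Because `host` is part of the `by` clause, each host normally lands in its own row and `values(src)` only aggregates when one host reports several source addresses, as `idx01` does here; the internal-CA host `web01` is not reported, and the lower-case `splunk-ca-lab` issuer is, which is worth keeping in mind when tuning the filter macro.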